[Dnsmasq-discuss] Restrict DNS reply to specific clients

Guy Wijnants Guy.Wijnants at Imtech-Telecom.Be
Wed Feb 3 11:24:26 GMT 2016


Hi Albert,

Thank you for the quick response.
You can compare our DNS server as kind of an ISP DNS server in the way that it hosts public domains and acts as DNS resolver for our clients.
If I enable dnsmasq all queries are passed to dnsmasq to check whether the domain needs to be blocked, if it does not need to be blocked dnsmasq will pass the query through to the named service which further handles the query.
But dnsmasq does not have something like the allow option to limit the hosts that can query the server.

Situation now:
Everyone can set our DNS server as their primary DNS server as dnsmasq does not filter to who can query the DNS server. In the named service you have the option to filter who can query the DNS server  (allow-recursion function).
But because our dnsmasq speaks to the named service using its own ip, the named service always allow the query and no filtering is done whatsoever.
Example:
Our server is master of the public domain www.iammaster.com
You at home set our DNS (we give it ip 193.0.0.1) server as its primary DNS server. You query www.google.com and our server WILL respond with the corresponding IP. You query www.iammaster.com and our server WILL respond with the corresponding IP.
Our clients (in network 192.168.0.0/24) sets our server as its primary DNS server and query www.google.com and our server WILL respond with the corresponding IP.

Situation I need:
People from the internet cannot set our DNS server as their primary DNS, our clients with network for example 192.168.0.0/24 can query our DNS server.
Our DNS server ofcourse still responds to the query for public domains where it is master from.
Example
You at home set our DNS (we give it ip 193.0.0.1) server as its primary DNS server. You query www.google.com and our server WILL NOT respond as you are not allowed to query our server.
You set a different DNS server as your primary DNS (8.8.8.8 for example) and you query www.iammaster.com and our server WILL respond with the corresponding IP for this domain.
Our clients (in network 192.168.0.0/24) sets our server as its primary DNS server and query www.google.com and our server WILL respond with the corresponding IP. Our clients query www.iammaster.com and our server WILL respond with the corresponding IP for this domain.

Configuration now:
Dnsmasq listen on ip 193.0.0.1 port 53 when the site is allowed to be resolved dnsmasq passes the request to 193.0.0.1:5353 (where our named service listens on).
The 'allow-recursion { localhost; x.x.x.x/24; y.y.y.y/24; };' is bypassed as dnsmasq use 193.0.0.1 (or localhost) as source address (and not the originating source ip of the requestor) for the query.

Thanks in advance for your support!

Best regards,

Guy


-----Original Message-----
From: Albert ARIBAUD [mailto:albert.aribaud at free.fr] 
Sent: woensdag 3 februari 2016 11:52
To: Guy Wijnants
Cc: dnsmasq-discuss at lists.thekelleys.org.uk
Subject: Re: [Dnsmasq-discuss] Restrict DNS reply to specific clients

Hi Guy,

Le Wed, 3 Feb 2016 10:30:02 +0100
"Guy Wijnants" <Guy.Wijnants at Imtech-Telecom.Be> a écrit:

> Hi all,
> 
> I have a DNS server that is master for some public domains. We also 
> have clients that use the DNS server as their lookup server.
> For security issues we use dnsmasq to redirect some sites to a webpage 
> that indicates that the site is not accepted.
> I have setted the dnsmasq before the named service. But this means 
> that all internet clients can use our DNS server to query requests 
> which is not good. I want to restrict the possible query requests to 
> only our client networks.
> I had a filter setted up under the named service:
> 	allow-recursion { localhost; x.x.x.x/24; y.y.y.y/24; }; Dnsmasq uses 
> the port 53 and if no match is made on the blocked list he forwards it 
> to himself on port 5353 where the named.service runs.
> The named service sees the request as coming from localhost and does 
> the recursion.
> I am sorry if this is unclear, I am not so familiar with dns or 
> dnsmasq. If its not clear please says so and I will try to be more 
> detailed. Version of dnsmasq: dnsmasq-2.65-6.fc17.x86_64 Thanks all in 
> advance

I am not sure I understand either your need or the actual situation, but I gather the issue is "some requests are servers which should not have".

Can you provide detailed scenarios, both for use case which work as you intend and for use cases which do not work as you intend? For each scenario, please describe where the request originates, which server it passes through, and (for failure scenarios) whether it should not have.

> Best Regards,
> 
> Guy Wijnants

Amicalement,
--
Albert.


More information about the Dnsmasq-discuss mailing list